Splunk Search
Highlighted

Create Scatter Diagram That Show Data Fall Within Average Range

Engager

Hi all, i try to create a scatter diagram that will show idea range of values and how many fall within it. I try use timechart but it seem like didn't work. I tried few different way already it still fail. Code below show below is the code using for extract result(show by red colour arrow in picture).

   Customer="xyz" ID=yvalue |timechart span=1m avg(Value) as yvalue 
  |appendcols [search Customer="xyz" ID=xvalue |timechart span=1m avg(Value) as xvalue] 
  |table xvalue, yvalue

And i need 1 more coding for draw the result acceptable range as show at the image below:

alt text

And i wish to display the rage of it as show by black colour error in the picture. Mind to share with me how should i achieve it. Thank you very much.

0 Karma
Highlighted

Re: Create Scatter Diagram That Show Data Fall Within Average Range

SplunkTrust
SplunkTrust

Helping with this one will require us to understand more about the underlying data.

We have literally no idea what kind of values of yvalue might be acceptable for any given xvalue.

I did notice that you aren't really using _time for anything, so don't use timechart, just use stats. Also, just in case your files ever get big, you might run into problems with the maximum record limits of a subsearch on your | append. You can make them part of the regular search, and that problem will never occur. And, you should always tell splunk what index(es) you want to look at.

index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
| bin _time span=1m
| xvalue=if(ID=xvalue,Value,null())
| yvalue=if(ID=yvalue,Value,null())
| stats avg(xvalue) as xvalue, avg(yvalue) as yvalue by Customer _time
| table xvalue yvalue

If there is some relationship between the xvalues and yvalues, then code like this might help you figure out what it is

| bin bins=10  xvalue as xbin
| bin bins=10  yvalue as ybin
| chart count over xbin by ybin

...or...

| bin bins=10  xvalue as xbin
| rex mode=sed field=xbin "s/-\d+$//g"
| eval xbin=tonumber(xbin)
| stats 
    avg(yvalue) as yavg, stdev(yvalue) as ystdev,  sum(yvalue) as yweight,
    perc10(yvalue) as y10, perc90(yvalue) as y90, count as ycount  
    by xbin 
| eval series ="by xbin"
| xyseries xbin series yavg ystdev y10 y90 ycount
0 Karma
Highlighted

Re: Create Scatter Diagram That Show Data Fall Within Average Range

Engager

Hi Dal, thank you very much for your response. when i replace my code with

  index=foo Customer="xyz" (ID=xvalue OR ID=yvalue)
 | bin _time span=1m
 | xvalue=if(ID=xvalue,Value,null())
 | yvalue=if(ID=yvalue,Value,null())

it didn't work. I got an error message: Unknown search command 'xvalue'. Would you mind to share with me how to resolve it? Thank you very much

0 Karma
Highlighted

Re: Create Scatter Diagram That Show Data Fall Within Average Range

Engager

I found it need to add "Eval" in front of it.

0 Karma
Highlighted

Re: Create Scatter Diagram That Show Data Fall Within Average Range

Engager

For your information acceptable range show by black colour arrows is theoretical value calculated. Meanwhile value show by red colour arrow is value we get for experiment.

0 Karma